Full Changelog: https://github.com/Activiti/Activiti/compare/7.21.0-rc.186...7.21.0-rc.187

• Add support for docker.elastic.co/elasticsearch/elasticsearch #50119
• Narrow the scope of icons pattern to /icons/icon-* #50084
• Add configuration options for KafkaTemplate's allowNonTransactional and closeTimeout #49954
• Align ReactorHttpClientBuilder defaults with Spring Framework and provide an opt-out #49950
• Add support for providing a custom SessionTimeout bean #49883
• Add support for Redis Annotation driven listeners #49858
• Support spring.webflux.default-html-escape property for application-wide HTML escaping configuration #49791
• Add fallback support for '/opt/homebrew/bin' on macOS #49721
• Support InetAddress filtering for HTTP Clients #49687
• Monitor certificates from truststore in SslMeterBinder #49641
• Enable ansi support by default on Windows 11+ #49571
• Add '@GrpcAdvice' exception handling support #49053
• Add support for OpenTelemetry SDK environment variables #48799
• Add ability to read custom layers.xml from classpath #32466
• Support LazyConnectionDataSourceProxy #15480

• Default security is misconfigured when spring-boot-actuator-autoconfigure is present and spring-boot-health is not #50190
• Elasticsearch Rest5Client auto-configuration misconfigures underlying HTTP client #50189
• ApplicationPidFileWriter does not handle symlinks correctly #50186
• RandomValuePropertySource is not suitable for secrets #50184
• Cassandra auto-configuration misconfigures CqlSessionBuilder #50182
• ApplicationTemp does not handle symlinks correctly #50179
• Remote DevTools performs comparison incorrectly #50177
• spring.rabbitmq.ssl.verify-hostname is applied inconsistently #50175
• GrpcDisableCsrfHttpConfigurer incorrectly uses inverse of 'spring.grpc.server.security.csrf.enabled' property #50145
• API versioning path strategy should be applied path last as it is not meant to yield #50127
• Whole number values are ignored when configuring min and max expected values and SLO boundaries for a distribution summary meter #50078
• Classic starters are missing several modules #50072
• Module spring-boot-resttestclient is missing from spring-boot-starter-test-classic #50070
• Annotations like @Ssl don't work on @Bean methods when using @ServiceConnection #50065
• EnversRevisionRepositoriesRegistrar should reuse @EnableEnversRepositories rather than configuring the JPA counterpart #50040
• WebFlux Cloud Foundry links endpoint includes query string from received request in resolved links #50018
• Imports on a containing test class are ignored when a nested class has imports #50013
• Spring Security's PathPatternRequestMatcher.Builder is not auto-configured when using WebMvcTest and spring-boot-security-test #49988
• Reactive MongoDB starter has a transitive dependency on the synchronous MongoDB driver #49958
• With spring.jackson.use-jackson2-defaults set to true, FAIL_ON_UNKNOWN_PROPERTIES is enabled #49957
• 500 response from env endpoint when supplied pattern is invalid #49947
• HTTP method is lost when configuring excludes in EndpointRequest #49944
• Honor HttpMethod for reactive additional endpoint paths #49881
• Docker Compose support doesn't work with apache/artemis image #49870
• Docker Compose support doesn't work with apache/activemq image #49867
• ReactiveOAuth2ResourceServerAutoConfiguration should trigger only on real Reactive Applications #49807
• Test starters 'spring-boot-starter-grpc-client-test' and 'spring-boot-starter-grpc-server-test' are missing #49690
• Properties in '@ConfigurationProperties' annotated type shouldn't be able to define the same '@Name' #49565
• Distribution's SLO, minimum expected value, and maximum expected value are not applied to long task timer meters #49190
• WebConversionService breaks embedded value resolving #8923

• Update docs to encourage Java fundamentals for beginners that prefer to learn that way #50147
• HTTP Service Interface Clients still document that API versioning can be configured via properties #50128
• Link to the observability section of the Lettuce documentation is broken #50098
• Javadoc for StaticResourceLocation.FAVICON doesn't describe icons location #50086
• MySamlRelyingPartyConfiguration is missing a Kotlin sample #50025
• Move OAuth2 and SAML 2.0 documentation to a security section #50022
• Incorrect default value for management.httpexchanges.recording.include in configuration metadata #50020
• Link to the Kubernetes documentation when discussing startup probes #50016
• Document missing gRPC's default unit in GrpcClientProperties #49879
• Document the need for Liquibase and Flyway starters #49875
• Typo in JdbcSessionAutoConfiguration Javadoc #49874
• Clarify that configuration property default values are not available through the Environment #49852
• Kafka documentation refers to deprecated JSON serializer and deserializer classes #49834
• Document gRPC Support #49291

• Upgrade to ActiveMQ 6.2.4 #50002
• Upgrade to Byte Buddy 1.18.8 #49922
• Upgrade to Couchbase Client 3.11.2 #50066
• Upgrade to Ehcache3 3.12.0 #49923
• Upgrade to Elasticsearch Client 9.3.4 #50099
• Upgrade to Flyway 12.4.0 #50079
• Upgrade to Git Commit ID Maven Plugin 9.2.0 #49925
• Upgrade to Groovy 5.0.5 #49926
• Upgrade to Hibernate 7.2.12.Final #50136
• Upgrade to HttpClient5 5.6.1 #50137
• Upgrade to Infinispan 16.1.3 #49928
• Upgrade to Jackson Bom 3.1.2 #50055
• Upgrade to Jaxen 2.0.1 #50106
• Upgrade to Jaybird 6.0.5 #49930
• Upgrade to Jedis 7.4.1 #50030
• Upgrade to Jetty 12.1.8 #49931
• Upgrade to jOOQ 3.21.2 #50107
• Upgrade to Kotlin Serialization 1.11.0 #50138
• Upgrade to Lettuce 7.5.1.RELEASE #50031
• Upgrade to Log4j2 2.25.4 #49933
• Upgrade to Lombok 1.18.46 #50154
• Upgrade to MariaDB 3.5.8 #49934
• Upgrade to Micrometer 1.17.0-RC1 #49990
• Upgrade to Micrometer Tracing 1.7.0-RC1 #49991
• Upgrade to MySQL 9.7.0 #50160
• Upgrade to Native Build Tools Plugin 1.0.0 #49920
• Upgrade to Native Build Tools Plugin 1.1.0 #48968
• Upgrade to Neo4j Java Driver 6.0.5 #50076
• Upgrade to OpenTelemetry 1.60.1 #50004
• Upgrade to Protobuf Common Protos 2.70.0 #50080
• Upgrade to Protobuf Maven Plugin 5.1.3 #50056
• Upgrade to Pulsar 4.2.0 #49900
• Upgrade to Rabbit AMQP Client 5.30.0 #50081
• Upgrade to Rabbit Stream Client 1.6.0 #50082
• Upgrade to Reactor Bom 2025.0.5 #49992
• Upgrade to Selenium 4.43.0 #50057
• Upgrade to Selenium HtmlUnit 4.43.0 #50058
• Upgrade to Spring AMQP 4.1.0-RC1 #49993
• Upgrade to Spring Data Bom 2026.0.0-RC1 #49994
• Upgrade to Spring Framework 7.0.7 #49995
• Upgrade to Spring GraphQL 2.0.3 #49996
• Upgrade to Spring gRPC 1.1.0-RC1 #50157
• Upgrade to Spring HATEOAS 3.1.0-RC1 #50108
• Upgrade to Spring Integration 7.1.0-RC1 #49997
• Upgrade to Spring Kafka 4.1.0-RC1 #49998
• Upgrade to Spring LDAP 4.1.0-RC1 #49999
• Upgrade to Spring Pulsar 2.0.5 #50000
• Upgrade to Spring Security 7.1.0-RC1 #50001
• Upgrade to Spring Session 4.1.0-RC1 #50144
• Upgrade to SQLite JDBC 3.53.0.0 #50068
• Upgrade to Testcontainers 2.0.5 #50139
• Upgrade to Thymeleaf 3.1.5.RELEASE #50155
• Upgrade to Thymeleaf Extras SpringSecurity 3.1.5.RELEASE #50156
• Upgrade to Tomcat 11.0.21 #49936

Thank you to all the contributors who worked on this release:

@GollapudiSrikanth, @MohammedGhallab, @bachhs, @bartsopers, @bbbbooo, @dlwldnjs1009, @edwardsre, @erichaagdev, @froggy-hyun, @husseinvr97, @itsmevichu, @kodama-kcc, @kwondh5217, @onobc, @plumstone, @ppapaj, @quaff, @refeccd, @scordio, and @xxxxxxjun

• Default security is misconfigured when spring-boot-actuator-autoconfigure is present and spring-boot-health is not #50188
• Elasticsearch Rest5Client auto-configuration misconfigures underlying HTTP client #50187
• ApplicationPidFileWriter does not handle symlinks correctly #50185
• RandomValuePropertySource is not suitable for secrets #50183
• Cassandra auto-configuration misconfigures CqlSessionBuilder #50180
• ApplicationTemp does not handle symlinks correctly #50178
• Remote DevTools performs comparison incorrectly #50176
• spring.rabbitmq.ssl.verify-hostname is applied inconsistently #50174
• Whole number values are ignored when configuring min and max expected values and SLO boundaries for a distribution summary meter #50077
• Classic starters are missing several modules #50071
• Module spring-boot-resttestclient is missing from spring-boot-starter-test-classic #50069
• Annotations like @Ssl don't work on @Bean methods when using @ServiceConnection #50064
• EnversRevisionRepositoriesRegistrar should reuse @EnableEnversRepositories rather than configuring the JPA counterpart #50039
• WebFlux Cloud Foundry links endpoint includes query string from received request in resolved links #50017
• Imports on a containing test class are ignored when a nested class has imports #50012
• With spring.jackson.use-jackson2-defaults set to true, FAIL_ON_UNKNOWN_PROPERTIES is enabled #49951
• 500 response from env endpoint when supplied pattern is invalid #49946
• Reactive MongoDB starter has a transitive dependency on the synchronous MongoDB driver #49945
• HTTP method is lost when configuring excludes in EndpointRequest #49943
• Honor HttpMethod for reactive additional endpoint paths #49880
• Docker Compose support doesn't work with apache/artemis image #49869
• Docker Compose support doesn't work with apache/activemq image #49866
• Spring Security's PathPatternRequestMatcher.Builder is not auto-configured when using WebMvcTest and spring-boot-security-test #49854
• API versioning path strategy should be applied path last as it is not meant to yield #49800

• Update docs to encourage Java fundamentals for beginners that prefer to learn that way #50146
• HTTP Service Interface Clients still document that API versioning can be configured via properties #50126
• Link to the observability section of the Lettuce documentation is broken #50097
• Javadoc for StaticResourceLocation.FAVICON doesn't describe icons location #50085
• MySamlRelyingPartyConfiguration is missing a Kotlin sample #50024
• Incorrect default value for management.httpexchanges.recording.include in configuration metadata #50019
• Link to the Kubernetes documentation when discussing startup probes #50015
• Typo in JdbcSessionAutoConfiguration Javadoc #49873
• Clarify that configuration property default values are not available through the Environment #49851
• Document the need for Liquibase and Flyway starters #49839
• Kafka documentation refers to deprecated JSON serializer and deserializer classes #49826

• Upgrade to Elasticsearch Client 9.2.8 #50027
• Upgrade to Groovy 5.0.5 #49911
• Upgrade to Hibernate 7.2.12.Final #50134
• Upgrade to Jackson Bom 3.1.2 #50051
• Upgrade to Jaxen 2.0.1 #50104
• Upgrade to Jaybird 6.0.5 #49914
• Upgrade to Jetty 12.1.8 #49915
• Upgrade to jOOQ 3.19.32 #50105
• Upgrade to Log4j2 2.25.4 #49916
• Upgrade to Lombok 1.18.46 #50150
• Upgrade to MariaDB 3.5.8 #49917
• Upgrade to Micrometer 1.16.5 #49972
• Upgrade to Micrometer Tracing 1.6.5 #49973
• Upgrade to MongoDB 5.6.5 #50028
• Upgrade to MySQL 9.7.0 #50159
• Upgrade to Neo4j Java Driver 6.0.5 #50075
• Upgrade to Reactor Bom 2025.0.5 #49974
• Upgrade to Spring AMQP 4.0.3 #49975
• Upgrade to Spring Data Bom 2025.1.5 #49976
• Upgrade to Spring Framework 7.0.7 #49977
• Upgrade to Spring GraphQL 2.0.3 #49978
• Upgrade to Spring Kafka 4.0.5 #49979
• Upgrade to Spring LDAP 4.0.3 #49980
• Upgrade to Spring Pulsar 2.0.5 #49981
• Upgrade to Spring Security 7.0.5 #49982
• Upgrade to Spring Session 4.0.3 #49983
• Upgrade to Testcontainers 2.0.5 #50135
• Upgrade to Thymeleaf 3.1.5.RELEASE #50152
• Upgrade to Thymeleaf Extras SpringSecurity 3.1.5.RELEASE #50153
• Upgrade to Tomcat 11.0.21 #49918

Thank you to all the contributors who worked on this release:

@GollapudiSrikanth, @MohammedGhallab, @bachhs, @dlwldnjs1009, @edwardsre, @kodama-kcc, @kwondh5217, @ppapaj, @quaff, @refeccd, @scordio, and @xxxxxxjun

• ApplicationPidFileWriter does not handle symlinks correctly #50173
• RandomValuePropertySource is not suitable for secrets #50172
• Cassandra auto-configuration misconfigures CqlSessionBuilder #50171
• ApplicationTemp does not handle symlinks correctly #50170
• Remote DevTools performs comparison incorrectly #50169
• spring.rabbitmq.ssl.verify-hostname is applied inconsistently #50168
• EnversRevisionRepositoriesRegistrar should reuse @EnableEnversRepositories rather than configuring the JPA counterpart #50035
• Annotations like @Ssl don't work on @Bean methods when using @ServiceConnection #50033
• Whole number values are ignored when configuring min and max expected values and SLO boundaries for a distribution summary meter #50021
• WebFlux Cloud Foundry links endpoint includes query string from received request in resolved links #50008
• 500 response from env endpoint when supplied pattern is invalid #49942
• HTTP method is lost when configuring excludes in EndpointRequest #49885
• Docker Compose support doesn't work with apache/artemis image #49865
• Honor HttpMethod for reactive additional endpoint paths #49864
• Docker Compose support doesn't work with apache/activemq image #49863
• Imports on a containing test class are ignored when a nested class has imports #49860

• Link to the observability section of the Lettuce documentation is broken #50092
• Javadoc for StaticResourceLocation.FAVICON doesn't describe icons location #50083
• MySamlRelyingPartyConfiguration is missing a Kotlin sample #50023
• Incorrect default value for management.httpexchanges.recording.include in configuration metadata #50010
• Link to the Kubernetes documentation when discussing startup probes #50007
• Update docs to encourage Java fundamentals for beginners that prefer to learn that way #49895
• Clarify that configuration property default values are not available through the Environment #49835

• Upgrade to Groovy 4.0.31 #49905
• Upgrade to Hibernate 6.6.49.Final #50140
• Upgrade to Jaxen 2.0.1 #50109
• Upgrade to Jaybird 6.0.5 #49907
• Upgrade to Jetty 12.0.34 #49908
• Upgrade to jOOQ 3.19.32 #50110
• Upgrade to Lombok 1.18.46 #50148
• Upgrade to MariaDB 3.5.8 #49909
• Upgrade to Micrometer 1.15.11 #49961
• Upgrade to Micrometer Tracing 1.5.11 #49962
• Upgrade to MySQL 9.7.0 #50161
• Upgrade to Neo4j Java Driver 5.28.13 #50074
• Upgrade to Reactor Bom 2024.0.17 #49963
• Upgrade to Spring AMQP 3.2.10 #49964
• Upgrade to Spring Authorization Server 1.5.7 #49965
• Upgrade to Spring Data Bom 2025.0.11 #49966
• Upgrade to Spring Framework 6.2.18 #49967
• Upgrade to Spring Kafka 3.3.15 #50129
• Upgrade to Spring LDAP 3.3.7 #49968
• Upgrade to Spring Pulsar 1.2.17 #49969
• Upgrade to Spring Security 6.5.10 #49970
• Upgrade to Spring Session 3.5.6 #49971
• Upgrade to Thymeleaf 3.1.5.RELEASE #50149
• Upgrade to Thymeleaf Extras SpringSecurity 3.1.5.RELEASE #50151
• Upgrade to Tomcat 10.1.54 #49910

Thank you to all the contributors who worked on this release:

@MohammedGhallab, @dlwldnjs1009, @edwardsre, @kodama-kcc, @kwondh5217, @quaff, @refeccd, and @scordio

Full Changelog: https://github.com/Activiti/Activiti/compare/7.21.0-rc.185...7.21.0-rc.186

Full Changelog: https://github.com/Activiti/Activiti/compare/7.21.0-rc.184...7.21.0-rc.185

This is the 26.0 release of graphql-java. Highlights are summarized below; the full list of merged PRs is at the end.

New QueryComplexityLimits validation checks maxDepth (default 100) and maxFieldsCount (default 100,000) as part of standard validation. Queries exceeding these limits will now fail with new MaxQueryDepthExceeded / MaxQueryFieldsExceeded validation errors.

• Set custom limits via GraphQLContext using QueryComplexityLimits.KEY.
• Disable entirely with QueryComplexityLimits.NONE.

Introduced in #4256.

In #4228 the rule-filter predicate changed from Predicate<Class<?>> to Predicate<OperationValidationRule> in Validator.validateDocument(...) and ParseAndValidate.parseAndValidate(...). Callers that filtered by class (e.g. rule -> rule != NoUnusedFragments.class) must migrate to the enum (rule -> rule != OperationValidationRule.NO_UNUSED_FRAGMENTS). The @Internal classes AbstractRule and RulesVisitor were removed.

• DirectiveInfo was removed. Replace usages:
  • DirectiveInfo.isGraphqlSpecifiedDirective(...) → Directives.isBuiltInDirective(...)
  • DirectiveInfo.GRAPHQL_SPECIFICATION_DIRECTIVES → Directives.BUILT_IN_DIRECTIVES
  • DirectiveInfo.GRAPHQL_SPECIFICATION_DIRECTIVE_MAP → Directives.BUILT_IN_DIRECTIVES_MAP
• Directive ordering is now consistent: all 7 built-in directives appear first, followed by user-defined directives.
• GraphQLSchema.Builder.clearDirectives() was initially removed then re-added in #4276 with new semantics — it clears all additionalDirectives, but built-in directives are always re-added automatically at build time.

New validator rejects OneOf input types that cannot be populated with a finite value (e.g. input A @oneOf { a: A }). Schemas that previously validated may now be rejected.

Code-built schemas now perform the same deprecated-on-non-null field validation as SDL-built ones. Schemas relying on the gap may now fail validation.

The return type was incorrectly annotated nullable. Callers may now drop redundant null checks; downstream nullness tooling will reflect the change.

Waves 2 and 3 (#4184, #4274) plus many individual PRs annotated hundreds of classes across graphql.analysis, graphql.execution, graphql.language, graphql.schema and others with @NullMarked/@NullUnmarked/@Nullable. Kotlin and other null-aware callers will now see stricter nullability contracts; code that relied on previously-permissive signatures may need adjustment.

• GraphQLSchema.FastBuilder (#4197) — a more restrictive but ~5× faster schema builder that reduces both time and memory for large schemas.
• Query complexity limits (#4256) — depth/field-count guardrails baked into validation (see breaking changes above for the enforcement side).
• QueryAppliedDirective on operations and documents (#4297) — directives applied at the operation/document level are now exposed as QueryAppliedDirectives.
• New instrumentation hook for post-exception-handling results (#4206, #4207) — observe the DataFetcherResult after DataFetcherExceptionHandler has mapped exceptions to errors. ChainedInstrumentation delegates the new hook correctly.
• Generic DataFetcherResult.newBuilder(T data) (#4254) — removes the need for explicit type witnesses on the common DataFetcherResult.<T>newResult().data(x)... pattern.
• Re-added GraphQLSchema.Builder.clearDirectives() (#4276) — useful with GraphQLSchema.transform to rewrite non-built-in directives; built-ins are always re-added.
• toString() on AST directives holders (#4195).

• Incremental @defer execution starts earlier (#4174) — begins processing deferred payloads as soon as the first incremental call is detected instead of waiting for the initial result to complete.
• Validation consolidation (#4228) — all operation validation rules run in a single OperationValidator pass, significantly cutting validation overhead.
• Reduced allocations on the execution hot path (#4252):
  • Async$Many.materialisedList() — replaced ArrayList copy with a zero-copy Arrays.asList() wrapper.
  • ResultPath.toStringValue — lazy computation; the string form is only built on first toString() (typically only during error reporting).
  • New GraphQLCodeRegistry.getDataFetcher(String, String, GraphQLFieldDefinition) overload avoiding per-fetch FieldCoordinates allocations (~54 KB/op reduction).
• FastBuilder for schema construction (#4197) — see New Features.
• Fixed ShallowTypeRefCollector to also resolve type refs inside applied directive arguments and enum value definitions (#4288) — correctness fix enabling FastBuilder to be used on more schemas.

• DataLoader dispatch with multiple @defer fragments (#4270) — fixes a case where DataLoaders were not dispatched correctly when multiple deferred fragments were in play.
• CompletionStageSubscriber race condition (#4296) — completion signal could be lost if an in-flight CompletionStage resolved concurrently. Fix is backed by new jcstress stress tests.
• PropertyDataFetcher on non-public classes (#4287) — properties on non-public classes that implement public interfaces (e.g. TreeMap.Entry) now fetch correctly on Java 16+ by searching public interfaces.
• ExecutableNormalizedField respects GraphqlFieldVisibility (#4204) — selection-set APIs now use the schema's configured visibility instead of going straight to the type.
• ScheduledDataLoaderRegistry "dispatch all" fix (#4164).
• ChainedInstrumentation onExceptionHandled delegation (#4207).

• Fixes for complex field-visibility transformer cases and schema transformation when deletions cascade (#4203, #4205, #4208, #4209, #4212, #4213, #4275).
• Overlapping-fields null-type regression fixed (#4291).
• GraphQLTypeCollectingVisitor now recursively traverses indirect strong references (#4213).
• SchemaTraverser::depthFirst overload signature fix (#4165).

• Bytecode-modified classes no longer ship in published JARs (#4343) — the @Generated annotation injected for coverage reporting was leaking into published artifacts. JARs now contain pristine compiler output.
• Trojan Source / glassworm Unicode detection (#4344) — pre-commit hook and CI workflow now reject dangerous BiDi/zero-width/control characters in source.
• Windows compatibility (#4239) — removed colons from performance-results/ filenames, split the oversized large-schema-5.graphqls, added pre-commit + CI checks.

• getDataLoader type bounds improved (#4180).
• Build and test on Java 25 (#4173, #4330).
• Many dependency updates (Reactor, Jackson, Kotlin, Groovy, Gradle, ByteBuddy, errorprone, etc.) across the release.

Full Changelog: https://github.com/graphql-java/graphql-java/compare/v25.0...v26.0

Full Changelog: https://github.com/Activiti/Activiti/compare/7.21.0-rc.183...7.21.0-rc.184

• Bump com.fasterxml.jackson.core:jackson-databind from 2.18.5 to 2.18.6 #3687
• Bump io.projectreactor:reactor-bom from 2024.0.15 to 2024.0.16 #3701
• Bump io.projectreactor:reactor-bom from 2024.0.16 to 2024.0.17 #3741
• Bump io.spring.gradle:spring-security-release-plugin from 1.0.14 to 1.0.15 #3710
• Bump org.mariadb.jdbc:mariadb-java-client from 3.5.7 to 3.5.8 #3735
• Bump org.springframework.boot:spring-boot-gradle-plugin from 3.5.11-SNAPSHOT to 3.5.12-SNAPSHOT #3686
• Bump org.springframework.boot:spring-boot-gradle-plugin from 3.5.12-SNAPSHOT to 3.5.13-SNAPSHOT #3713
• Bump org.springframework.boot:spring-boot-gradle-plugin from 3.5.13-SNAPSHOT to 3.5.14-SNAPSHOT #3727
• Bump org.springframework.data:spring-data-bom from 2025.0.10 to 2025.0.11 #3747
• Bump org.springframework.data:spring-data-bom from 2025.0.9 to 2025.0.10 #3707
• Bump org.springframework.security:spring-security-bom from 6.5.8 to 6.5.9 #3711
• Bump org.springframework.security:spring-security-bom from 6.5.9 to 6.5.10 #3751
• Bump org.springframework:spring-framework-bom from 6.2.16 to 6.2.17 #3706
• Bump org.springframework:spring-framework-bom from 6.2.17 to 6.2.18 #3748
• Release 3.5.6 #3684